Abstract

The exponential growth of social media and medical blogging in recent years at created a liability risk for physicians. This exponential growth makes it essential for physicians to understand the intersection of the Health Insurance Portability and Accountability Act (HIPPA) and Internet blogging. The intersection of HIPPA and Internet bloggers is a complex overlapping subset with potential legal risk for physician bloggers. .

Keywords

HIPAA; Social media; Internet blogger; Protected health information; Liability

Reflections in Internal Medicine

There has been an exponential growth of social media and medical blogging in recent years. This exponential growth makes it imperative for physicians to understand the complex intersection of the Health Insurance Portability and Accountability Act (HIPPA) and Internet blogging. The intersection of HIPPA and Internet bloggers puts physician at risk for liability.

Friction exits between HIPPA and Internet blogging because HIPPA seeks to protect patient information and blogging attempts to share information. This tension compels an understanding of the competing goals. This understanding mandates knowledge of what is Protected Health Information (PHI) and what is blogging.

PHI means individually identifiable health information that is conveyed by electronic media, preserved in electronic media or is transmitted or maintained in another medium. Health information is defined as any information, chronicled in form or medium, that is created or received by a health care provider, health plan, employer, health authority, life insurer, university, or health care clearing house and relates to present, past or future physical or mental health of an individual, or the past, present, or future payment for the provision of health care to an individual. Individually identifiable information is defined as information that is a subset of health information, including demographic information that is collected from an individual [1].

A blog is an online forum typically created by an individual who self publishes his or her commentary, opinions, description of events, videos and pictures using the Internet as medium of free exchange. Bloggers often seek to promote its services or products. Blogs often allow readers to join in on online conversation. Blogging allows an individual to have a voice and to create a dialogue that allows a following that may be impacted in their thinking about a subject, issue, or dispute. Here in lies the power of social media.

Physicians must understand how to traverse the intersection of HIPPA and blogging through social media. A covered entity may use PHI for treatment, payment or health care operations [2]. In the social media context blogging would not fall under the purview of treatment, payment, or health care operations. Therefore, a blog should not include any information about a patient that would qualify as PHI without a patient’s written authorization. The usage of PHI without patient consent a user must erase it personal nature by de-identifying the information of PHI.

HIPPA provides that “health information that does not identify an individual with respect to which there is no reasonable basis to believe that information can be used to identify an individual is not individually identifiable information” [3].

A covered entity may de-identify PHI by hiring an expert who has knowledge of and experience with generally accepted scientific principles and methods for rendering information as not individually identifiable [4]. Alternatively a covered entity seeking to de-identify PHI is for the covered entity to remove the following identifiers from PHI in its blogs: names, all geographic subdivisions, all elements of dates including birth dates, admissions dates, discharge dates, date of death, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, IP addresses, web universal resource locators, biometric identifiers such as finger prints and voice prints, facial or comparable images, and any unique identifying number, characteristic or code [3].

The increased use of social media and the generation of usergenerated information shared by one self supplies a all-encompassing deep-sea of identifying information. Even with only the seat number on an airplane a person’s identity can be quickly revealed [4].

Physicians and medical staff must remain sensitive and vigilant to the poetical risks of sharing innocuous information a medical blog that may be combined with the mega Internet databases that could enable a third party to discover a patient’s identity in violation of HIPPA.

According to Congress, HIPPA’s purpose is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long term care services and coverage, to simplify the administration of health insurance and for other purposes.” One of the “other purposes” is certainly to protect the individual’s privacy rights in their confidential medical information [5].

All physicians must understand: Ignorance is not a defense.

References

1. HIPPA, 45 C.F.R. & 160.103 (1996)
2. HIPPA && 164.502, 506.
3. HIPPA & 164.514
4. Alyson M Palmer. TB Patient tries to Revive Privacy Lawsuit Against Center for Disease Control, Law. Com. 2010; 22:22: 3.
5. HITECT ACT, The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. 2009.